Security researchers have discovered a new malware campaign that uses code signing certificates and other techniques to avoid detection by antivirus software. A recent blog post from Elastic Security, the cybersecurity firm, reveals that its researchers discovered a cluster of malicious activity after reviewing its threat prevention telemetry.
Cybercriminals are getting smarter. They have figured out how to use valid digital certificates to sign their malware, so security programs won’t find them. However, this new campaign from Blister is different. The cybercriminals have created a new kind of loader for the malware. It has been named Blister by researchers because it burns like a blister on the skin, but you will never see it until it is too late.
With the help of valid code signing certificates and other counter-detection measures, these cybercriminals have been running this campaign for the past few months.
Cybercriminals have been using a code-signing certificate issued by Sectigo for a company called Blist LLC. This is how the malware was named Blister. It is also possible that the criminals are based in Russia because they use Mail.Ru as their email service.
This cybercrime group used several techniques to remain undetected. They embedded the malware into an innocent library, and then used a malicious rundll32 command to launch it with elevated privileges. The code is heavily obfuscated and was stored in the resource section of the library. Once executed, the malware decodes code that is used to ensure its survival on a computer system.
Blister is a type of malware that first decrypts its payload. This payload gives the malware the ability to move laterally across a victim’s network and access a Windows system remotely. Blister also gains persistence on an infected machine by storing a copy in ProgramData as well as another posing as rundll32.exe. In addition, Blister adds itself to Windows startup locations.
Elastic Security has notified Sectigo to have Blister’s code signing certificate revoked. But it’s only a matter of time a new certificate is generated to be used in the attack all over again.